Cybersecurity for the Electric Sector
Implementing NERC's Cybersecurity Requirements
The North American Electric Reliability Council (NERC) issued a set of cybersecurity standards to ensure all entities responsible for the reliability of the bulk electric systems (BES) in North America identify and protect critical cyber assets that control or could impact the reliability of the bulk electric systems. Tenable makes it easy to comply with these standards while maintaining the security and productivity of your systems.
How Tenable Can Help
NERC has established a set of cybersecurity standards to protect consumers and entities alike from cyber threats facing the U.S. bulk electric system.
This is only a partial list of NERC cybersecurity standards. For the complete list, please see here.
Regulation / Recommendation
(CIP-002-5.1a) BES Cyber System Categorization
- R1. Each Responsible Entity shall implement a process that considers each of the following assets for purposes of parts 1.1 through 1.3.
  - i. Control Centers and backup Control Centers;
  - ii. Transmission stations and substations;
  - iii. Generation resources;
  - iv. Systems and facilities critical to system restoration, including Blackstart Resources and Cranking Paths and initial switching requirements;
  - v. Special Protection Systems that support the reliable operation of the Bulk Electric System; and
  - vi. For Distribution Providers, Protection Systems specified in Applicability section 4.2.1.
  - 1.1. Identify each of the high impact BES Cyber Systems according to Attachment 1, Section 1, if any, at each asset;
  - 1.2. Identify each of the medium impact BES Cyber Systems according to Attachment 1, Section 2, if any, at each asset; and
  - 1.3. Identify each asset that contains a low impact BES Cyber System according to Attachment 1, Section 3, if any (a discrete list of low impact BES Cyber Systems is not required).
How We Help
- R1.1-1.3. Tenable provides visibility of IT and OT assets on a network. Users with admin privileges can label assets as high impact, medium impact or low impact BES Cyber Systems in accordance with the definitions in Attachment 1, Section 2.
- R2. The Responsible Entity shall:
  - 2.1. Review the identifications in Requirement R1 and its parts (and update them if there are changes identified) at least once every 15 calendar months, even if it has no identified items in Requirement R1, and
How We Help
- R2.1. Tenable tracks asset inventory in real time, enabling users with admin rights to review and update asset labels when required, ensuring assets are correctly labeled.
Regulation / Recommendation
(CIP-005-6) Electronic Security Perimeter(s)
- R1. Each Responsible Entity shall implement one or more documented processes that collectively include each of the applicable requirement parts in CIP-005-6 Table R1 – Electronic Security Perimeter.
  - 1.5. Have one or more methods for detecting known or suspected malicious communications for both inbound and outbound communications.
How We Help
- R1.5. Tenable can detect known or suspected malicious communications, both inbound and outbound, including communications across boundaries.
- R2. Each Responsible Entity shall implement one or more documented processes that collectively include the applicable requirement parts, where technically feasible, in CIP-005-6 Table R2 – Remote Access Management.
  - 2.4. Have one or more methods for determining active vendor remote access sessions (including Interactive Remote Access and system-to-system remote access).
How We Help
- R2.4. Tenable monitors for remote access to systems in real-time, enabling users to identify active vendor remote access sessions.
Regulation / Recommendation
(CIP-007-6) System Security Management
- R1. Each Responsible Entity shall implement one or more documented process(es) that collectively include each of the applicable requirement parts in CIP-007-6 Table R1 – Ports and Services.
  - 1.2. Protect against the use of unnecessary physical input/output ports used for network connectivity, console commands, or Removable Media.
How We Help
- R1.2. Tenable monitors and documents all communications from input/output ports used for network connectivity, console commands, or removable media, ensuring users can protect against unnecessary use.
- R2. Each Responsible Entity shall implement one or more documented process(es) that collectively include each of the applicable requirement parts in CIP-007-6 Table R2 – Security Patch Management.
  - 2.1. A patch management process for tracking, evaluating, and installing cyber security patches for applicable Cyber Assets. The tracking portion shall include the identification of a source or sources that the Responsible Entity tracks for the release of cyber security patches for applicable Cyber Assets that are updateable and for which a patching source exists.
  - 2.2. At least once every 35 calendar days, evaluate security patches for applicability that have been released since the last evaluation from the source or sources identified in Part 2.1.
  - 2.3. For applicable patches identified in Part 2.2, within 35 calendar days of the evaluation completion, take one of the following actions: apply the applicable patches; or create a dated mitigation plan; or revise an existing mitigation plan. Mitigation plans shall include the Responsible Entity’s planned actions to mitigate the vulnerabilities addressed by each security patch and a timeframe to complete these mitigations.
How We Help
- R2.1-2.2. Tenable facilitates a patch management program for tracking, evaluating and installing cybersecurity patches for applicable cyber assets. Tenable identifies available patches and the source or sources that release cybersecurity patches for applicable cyber assets, and can classify security patches as critical, high, medium or low criticality. Tenable can aid in the evaluation of security patches for applicability. In addition, Tenable provides Vulnerability Priority Rating (VPR) scores that help users decide whether a patch needs to be applied.
- R2.3. Tenable can be an integral part of the plan to meet the 35-calendar-day timeline for completing an evaluation and then taking one of the following actions:
  - Apply the applicable patches
  - Create a dated mitigation plan
  - Revise an existing mitigation plan
- R4. Each Responsible Entity shall implement one or more documented process(es) that collectively include each of the applicable requirement parts in CIP-007-6 Table R4 – Security Event Monitoring.
  - 4.1. Log events at the BES Cyber System level (per BES Cyber System capability) or at the Cyber Asset level (per Cyber Asset capability) for identification of, and after-the-fact investigations of, Cyber Security Incidents that includes, as a minimum, each of the following types of events:
    - 4.1.1. Detected successful login attempts;
    - 4.1.3. Detected malicious code.
How We Help
- R4.1.1 & 4.1.3. Tenable logs successful login events and malicious code events at the BES Cyber System level for identification of, and after-the-fact investigations of, cybersecurity incidents.
- 4.2. Generate alerts for security events that the Responsible Entity determines necessitates an alert, that includes, as a minimum, each of the following types of events (per Cyber Asset or BES Cyber System capability):
  - 4.2.1. Detected malicious code from Part 4.1.
How We Help
- R4.2.1. Tenable generates alerts when malicious code is detected on cyber assets or BES Cyber Systems.
- 4.3. Where technically feasible, retain applicable event logs identified in Part 4.1 for at least the last 90 consecutive calendar days except under CIP Exceptional Circumstances.
- 4.4. Review a summarization or sampling of logged events as determined by the Responsible Entity at intervals no greater than 15 calendar days to identify undetected Cyber Security Incidents.
How We Help
- R4.3-4.4. Tenable can forward the applicable event logs identified in Part 4.1 to syslog servers for long-term retention, enabling further analysis to identify undetected cybersecurity incidents and meeting the 15-calendar-day review requirement.
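As an added illustration (not Tenable's code and not part of the NERC text), the following Python script shows the kind of event pipeline Parts 4.1 through 4.4 describe: it parses constructed syslog-style lines, tags successful logins (4.1.1) and malicious-code detections (4.1.3), raises an alert for each malicious-code event (4.2.1), filters to the 90-day retention window (4.3) and summarises one 15-day review window (4.4). The log line layout, the asset names and the keywords used to classify events are assumptions made for this example.

```python
"""CIP-007-6 R4-style event logging, alerting, retention and review.

Added example only; not Tenable's code and not text from the standard.
The log format, asset names and classification keywords are assumptions.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date, datetime, timedelta
import re

# Constructed sample log in an assumed "<ISO time> <asset> <message>" layout.
SAMPLE_LOG = """\
2024-03-01T08:02:11 rtu-substation-7 auth: session opened for user operator
2024-03-01T08:05:40 rtu-substation-7 auth: session closed for user operator
2024-03-02T14:22:09 hmi-control-a av: malware detected quarantine=trojan.generic
2024-03-03T09:10:00 hmi-control-a auth: session opened for user vendor_tech
2024-03-09T23:55:13 ems-primary av: malware detected quarantine=worm.smb
2024-03-10T06:00:00 ems-primary auth: session opened for user nightshift
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.*)$")


def classify(message: str):
    """Map a message to the Part 4.1 event type it represents (keywords assumed)."""
    if "session opened" in message:
        return "4.1.1"  # detected successful login attempt
    if "malware detected" in message:
        return "4.1.3"  # detected malicious code
    return None  # not one of the minimum event types; not retained here


@dataclass(frozen=True)
class Event:
    when: datetime
    asset: str
    part: str
    message: str


def parse_log(text: str) -> list:
    """Parse every well-formed line and keep only Part 4.1 event types."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        part = classify(m.group(3))
        if part:
            events.append(Event(datetime.fromisoformat(m.group(1)), m.group(2), part, m.group(3)))
    return events


def alerts(events) -> list:
    """Part 4.2.1: every detected malicious code event necessitates an alert."""
    return [e for e in events if e.part == "4.1.3"]


def retained(events, today: str, days: int = 90) -> list:
    """Part 4.3: the events that fall inside the last `days` consecutive calendar days."""
    cutoff = datetime.combine(date.fromisoformat(today) - timedelta(days=days), datetime.min.time())
    return [e for e in events if e.when >= cutoff]


def review_summary(events, review_start: str, interval_days: int = 15) -> dict:
    """Part 4.4: summarise one review window so a reviewer can look for missed incidents."""
    start = datetime.combine(date.fromisoformat(review_start), datetime.min.time())
    end = start + timedelta(days=interval_days)
    window = [e for e in events if start <= e.when < end]
    return {
        "window": (start.date().isoformat(), end.date().isoformat()),
        "by_part": dict(Counter(e.part for e in window)),
        "by_asset": dict(Counter(e.asset for e in window)),
        "alerts": len(alerts(window)),
    }


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for a in alerts(evs):
        print(f"ALERT {a.when.isoformat()} {a.asset}: {a.message}")
    print(review_summary(evs, "2024-03-01"))
```

The session-closed line is deliberately dropped by `classify`, which shows the point of Part 4.1's "as a minimum" wording: the pipeline must guarantee the listed event types are captured, while anything else is a local choice.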
Regulation / Recommendation
(CIP-008-6) Incident Reporting and Response Planning
- R1. Each Responsible Entity shall document one or more Cyber Security Incident response plan(s) that collectively include each of the applicable requirement parts in CIP-008-6 Table R1 – Cyber Security Incident Response Plan Specifications.
  - 1.1. One or more processes to identify, classify, and respond to Cyber Security Incidents.
  - 1.2. One or more processes:
    - 1.2.1. That include criteria to evaluate and define attempts to compromise;
    - 1.2.2. To determine if an identified Cyber Security Incident is:
      - A Reportable Cyber Security Incident; or
      - An attempt to compromise, as determined by applying the criteria from Part 1.2.1, one or more systems identified in the “Applicable Systems” column for this Part; and
    - 1.2.3. To provide notification per Requirement R4.
How We Help
- R1.1-1.2. Tenable’s role in CIP-008-6 is to detect incidents and attempts to compromise and to be the source of evidence for reporting requirements, reducing incident response time.
- R2. Each Responsible Entity shall implement each of its documented Cyber Security Incident response plans to collectively include each of the applicable requirement parts in CIP-008-6 Table R2 – Cyber Security Incident Response Plan Implementation and Testing.
  - 2.3. Retain records related to Reportable Cyber Security Incidents and Cyber Security Incidents that attempted to compromise a system identified in the “Applicable Systems” column for this Part as per the Cyber Security Incident response plan(s) under Requirement R1.
How We Help
- R2.3. Tenable provides incident data to support the record retention requirements related to reportable cybersecurity incidents and to incidents that attempted to compromise a system.
- R4. Each Responsible Entity shall notify the Electricity Information Sharing and Analysis Center (E-ISAC) and, if subject to the jurisdiction of the United States, the United States National Cybersecurity and Communications Integration Center (NCCIC), or their successors, of a Reportable Cyber Security Incident and a Cyber Security Incident that was an attempt to compromise, as determined by applying the criteria from Requirement R1, Part 1.2.1, a system identified in the “Applicable Systems” column, unless prohibited by law, in accordance with each of the applicable requirement parts in CIP-008-6 Table R4 – Notifications and Reporting for Cyber Security Incidents.
  - 4.1. Initial notifications and updates shall include the following attributes, at a minimum, to the extent known:
    - 4.1.1. The functional impact;
    - 4.1.2. The attack vector used; and
    - 4.1.3. The level of intrusion that was achieved or attempted.
How We Help
- R4.1. Tenable provides incident data to identify the functional impact, the attack vector used, and the level of intrusion that was achieved or attempted.
- 4.2. After the Responsible Entity’s determination made pursuant to documented process(es) in Requirement R1, Part 1.2, provide initial notification within the following timelines:
  - One hour after the determination of a Reportable Cyber Security Incident.
  - By the end of the next calendar day after determination that a Cyber Security Incident was an attempt to compromise a system identified in the “Applicable Systems” column for this Part.
- 4.3. Provide updates, if any, within 7 calendar days of determination of new or changed attribute information required in Part 4.1.
How We Help
- R4.2-4.3. Tenable operates continuously and in real time, with programmable alerting capabilities that support the timeline requirements outlined in R4.2 and R4.3.
Regulation / Recommendation
(CIP-010-3) Configuration Change Management and Vulnerability
- R1. Each Responsible Entity shall implement one or more documented process(es) that collectively include each of the applicable requirement parts in CIP-010-3 Table R1 – Configuration Change Management.
  - 1.1. Develop a baseline configuration, individually or by group, which shall include the following items:
    - 1.1.1. Operating system(s) (including version) or firmware where no independent operating system exists;
    - 1.1.2. Any commercially available or open-source application software (including version) intentionally installed;
    - 1.1.3. Any custom software installed;
    - 1.1.4. Any logical network accessible ports; and
    - 1.1.5. Any security patches applied.
  - 1.2. Authorize and document changes that deviate from the existing baseline configuration.
How We Help
- R1.1-1.2. Tenable records an initial code configuration and takes periodic code snapshots. Upon any change in code, Tenable takes a snapshot and documents the differential between the current version of code and any prior version of code, including the baseline, for individual OT assets. Tenable can provide:
  - Operating system(s), including version or firmware
  - Any commercially available or open-source application software, including version
  - Any custom software installed
  - Any logical network accessible ports
  - Any security patches applied
- R2. Each Responsible Entity shall implement one or more documented process(es) that collectively include each of the applicable requirement parts in CIP-010-3 Table R2 – Configuration Monitoring.
  - 2.1. Monitor at least once every 35 calendar days for changes to the baseline configuration (as described in Requirement R1, Part 1.1). Document and investigate detected unauthorized changes.
How We Help
- R2.1. Tenable monitors configuration changes continuously and in real time, with programmable alerting capabilities that aid in the investigation of detected unauthorized changes.
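To make Parts 1.1, 1.2 and 2.1 concrete, here is an added Python example (not Tenable's code and not text from the standard) of a baseline record holding the five items of Part 1.1, a diff that reports which items changed between the baseline and a later snapshot, a check that separates deviations covered by an authorized change record from ones that still need investigation (Part 1.2), and a check of the 35-day monitoring interval (Part 2.1). The snapshot layout, the asset data and the change-record format are assumptions constructed for the illustration; it generalises the page's single OT-asset case to any asset described by the same five items.

```python
"""CIP-010-3 R1.1 / R1.2 / R2.1-style baseline configuration and drift check.

Added example only; not Tenable's code and not text from the standard.
Snapshot layout, asset data and the authorised-change record format are assumptions.
"""
from dataclasses import dataclass
from datetime import date

# The five baseline items of Part 1.1, used as the keys of a snapshot.
BASELINE_ITEMS = ("os", "commercial_software", "custom_software", "ports", "patches")


def snapshot(os_version, commercial, custom, ports, patches) -> dict:
    """Build one baseline-shaped record; collections are sorted so order never
    shows up as a spurious change."""
    return {
        "os": os_version,
        "commercial_software": tuple(sorted(commercial)),
        "custom_software": tuple(sorted(custom)),
        "ports": tuple(sorted(ports)),
        "patches": tuple(sorted(patches)),
    }


@dataclass
class Deviation:
    item: str        # which Part 1.1 item changed
    added: tuple     # elements present now but not in the baseline
    removed: tuple   # elements in the baseline but gone now


def diff(baseline: dict, current: dict) -> list:
    """Part 2.1: report every Part 1.1 item that differs between two snapshots."""
    out = []
    for item in BASELINE_ITEMS:
        b, c = baseline[item], current[item]
        if item == "os":
            if b != c:  # a single value, so report old and new directly
                out.append(Deviation(item, (c,), (b,)))
        else:
            added = tuple(sorted(set(c) - set(b)))
            removed = tuple(sorted(set(b) - set(c)))
            if added or removed:
                out.append(Deviation(item, added, removed))
    return out


def unauthorized(deviations, authorized_changes) -> list:
    """Part 1.2: a change is covered only if each added/removed element appears in
    an approved change record as (item, "add"|"remove", element); the rest must be
    documented and investigated."""
    allowed = set(authorized_changes)
    result = []
    for d in deviations:
        unexplained_add = tuple(x for x in d.added if (d.item, "add", x) not in allowed)
        unexplained_rm = tuple(x for x in d.removed if (d.item, "remove", x) not in allowed)
        if unexplained_add or unexplained_rm:
            result.append(Deviation(d.item, unexplained_add, unexplained_rm))
    return result


def monitoring_overdue(last_check: str, today: str, max_days: int = 35) -> bool:
    """Part 2.1: monitoring must happen at least once every 35 calendar days."""
    return (date.fromisoformat(today) - date.fromisoformat(last_check)).days > max_days


# Constructed data for one hypothetical OT asset.
BASELINE = snapshot("FirmwareOS 4.2.1",
                    ["hmi-runtime 7.1", "scada-historian 3.0"],
                    ["load-shed-script 1.0"], [22, 502, 20000], ["KB-2024-001"])
CURRENT = snapshot("FirmwareOS 4.2.1",
                   ["hmi-runtime 7.2", "scada-historian 3.0", "remote-support-agent 1.5"],
                   ["load-shed-script 1.0"], [22, 502, 20000, 5900],
                   ["KB-2024-001", "KB-2024-017"])
# Only the runtime upgrade and its patch went through change control.
AUTHORIZED = [("commercial_software", "remove", "hmi-runtime 7.1"),
              ("commercial_software", "add", "hmi-runtime 7.2"),
              ("patches", "add", "KB-2024-017")]

if __name__ == "__main__":
    for d in unauthorized(diff(BASELINE, CURRENT), AUTHORIZED):
        print(f"INVESTIGATE {d.item}: added={d.added} removed={d.removed}")
    print("monitoring overdue:", monitoring_overdue("2024-01-01", "2024-02-06"))
```

Run as written, the script flags the new support agent and the newly open port 5900 as unexplained while the approved runtime upgrade and its patch are silent, which is the distinction Part 1.2 asks the entity to document.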
- R3. Each Responsible Entity shall implement one or more documented process(es) that collectively include each of the applicable requirement parts in CIP-010-3 Table R3 – Vulnerability Assessments.
  - 3.1. At least once every 15 calendar months, conduct a paper or active vulnerability assessment.
  - 3.2. Where technically feasible, at least once every 36 calendar months:
    - 3.2.1. Perform an active vulnerability assessment in a test environment, or perform an active vulnerability assessment in a production environment where the test is performed in a manner that minimizes adverse effects, that models the baseline configuration of the BES Cyber System in a production environment; and
    - 3.2.2. Document the results of the testing and, if a test environment was used, the differences between the test environment and the production environment, including a description of the measures used to account for any differences in operation between the test and production environments.
How We Help
- R3.1-3.2. Tenable monitors vulnerabilities in real time and provides reports that support the vulnerability assessment process.
Regulation / Recommendation
(CIP-012-1) Communications between Control Centers
- R1. The Responsible Entity shall implement, except under CIP Exceptional Circumstances, one or more documented plan(s) to mitigate the risks posed by unauthorized disclosure and unauthorized modification of Real-time Assessment and Real-time monitoring data while being transmitted between any applicable Control Centers. The Responsible Entity is not required to include oral communications in its plan. The plan shall include:
  - 1.1. Identification of security protection used to mitigate the risks posed by unauthorized disclosure and unauthorized modification of Real-time Assessment and Real-time monitoring data while being transmitted between Control Centers;
  - 1.2. Identification of where the Responsible Entity applied security protection for transmitting Real-time Assessment and Real-time monitoring data between Control Centers; and
  - 1.3. If the Control Centers are owned or operated by different Responsible Entities, identification of the responsibilities of each Responsible Entity for applying security protection to the transmission of Real-time Assessment and Real-time monitoring data between those Control Centers.
How We Help
- R1.1-1.3. Tenable detects and documents communications between control centers in real time, recording details such as source and destination assets and communication protocols.
Regulation / Recommendation
(CIP-013-1) Supply Chain Risk Management
- R1. Each Responsible Entity shall develop one or more documented supply chain cyber security risk management plan(s) for high and medium impact BES Cyber Systems. The plan(s) shall include:
  - 1.1. One or more process(es) used in planning for the procurement of BES Cyber Systems to identify and assess cyber security risk(s) to the Bulk Electric System from vendor products or services resulting from:
    - (i) procuring and installing vendor equipment and software; and
    - (ii) transitions from one vendor(s) to another vendor(s).
  - 1.2. One or more process(es) used in procuring BES Cyber Systems that address the following, as applicable:
    - 1.2.2. Coordination of responses to vendor-identified incidents related to the products or services provided to the Responsible Entity that pose cyber security risk to the Responsible Entity;
    - 1.2.3. Notification by vendors when remote or onsite access should no longer be granted to vendor representatives;
    - 1.2.6. Coordination of controls for
      - (i) vendor-initiated Interactive Remote Access, and
      - (ii) system-to-system remote access with a vendor(s).
How We Help
- R1.2.2, 1.2.3 and 1.2.6. Tenable monitors vendor assets for security-related incidents related to vendor products or services that pose cybersecurity risks. Tenable can monitor vendor remote access sessions in real time.
Available Government Funding for the Electric Sector
Electric utilities, bulk power system owners and operators, public entities and others can take advantage of new funding opportunities provided in the Infrastructure Investment and Jobs Act for Department of Energy programs.
Some available funding programs:
- Rural and Municipal Utility Advanced Cybersecurity Grant and Technical Assistance (RMUC) Program: A $250 million grant program for rural electric cooperatives and electric utilities to protect against, detect, respond to, and recover from cybersecurity threats.
- Advanced Energy Security Program: A $50 million program to increase the functional preservation of electric grid operations or natural gas and oil operations in the face of threats and hazards, including cybersecurity.
- Energy Sector Operational Support for Cyber Resilience Program: A $50 million grant program to provide technical assistance to small electric utilities for purposes of assessing and improving cyber maturity levels and addressing gaps identified in the assessment.
- Smart Grid Grant Program: A competitive grant program that provides $3 billion over five years to utilities to expand smart grid investments.
Regulation and government funding information provided on this web page is dynamic and subject to change. Refer to nerc.com for the most up-to-date information.